Intel's commitment to making its stuff secure is called into question

Security is a process or at least an aspiration

Intel claims that "protecting our customers’ data and ensuring the security of our products is a top priority" for the semiconductor giant – however, security researcher Stefan Kanthak argues otherwise.

In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel's Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel's statement "a blatant lie."

"The statement is typical PR, and as such of no value," he said.

That may be a bit excessive. Since the Spectre and Meltdown side-channel processor vulnerabilities were disclosed earlier this year – affecting AMD, ARM, Intel and others – Intel has made a concerted effort to pay more attention to security or at least to talk about it more.

It has gone from insisting the identified exploits are not the result of bugs or flaws and pointing out that other chipmakers are also affected to hiring crisis PR firm Sard Verbinnen & Co., forming a product security group called Intel Product Assurance and Security (IPAS), delivering a series of patches, and implementing design changes in its Whiskey Lake and forthcoming Cascade Lake chips.

The Register hears from those close to Chipzilla's inner workings that the corp is sincere in its desire to make its products more secure.

Whether that sentiment translates into the ability to deliver on that desire can be debated. Certainly Intel has adopted organizational changes to improve its security posture. But Kanthak argues the chipmaker's supposed security zeal hasn't yet spread throughout the company.

"The PSIRT is rather busy since Spectre/Meltdown, and the response times increased noticeably," he said, noting that he's been in regular contact with the security group for many years. "But Intel is not a one-man show, there are many independent groups and departments which create drivers and applications and their installers. The people who work on Spectre/Meltdown are typically not those who write (Windows) drivers or applications."

It's Intel's Windows-oriented software that most concerns Kanthak, in keeping with his efforts to encourage Microsoft to stop building Windows installers with vulnerable tools. He points to his recently published disclosure about Intel's Extreme Tuning Utility as an example of the chipmaker's slipshod approach.

The initial bug report was made on September 4th, 2017 and, with no response, was resent on March 22nd, 2018. Intel issued a supposed fix without any security advisory on May 22, 2018, but the vulnerability remained. There was a follow-up bug report on June 5th, 2018, and on September 11, 2018, Intel re-fixed its code, this time with an advisory.

As further evidence that Intel is slow to respond to security issues, he provided The Register with a baker's dozen of other bug reports for Intel software that were submitted in June, with the proviso that we not publish details because Intel hasn't fixed some of the flaws.

Intel code may also be vulnerable to an issue reported last year in Microsoft's .NET Framework that Microsoft has declined to fix. "After the release of Windows Vista, Intel started to use .NET Framework in many of its drivers' GUI applications," said Kanthak. "Since these applications need to be run elevated, they all allow this trivial escalation of privilege (or UAC bypass)."

The Register asked Intel for a response to Kanthak's criticism. The chipmaker offered this statement via email:

Protecting our customers and their data continues to be a critical priority for us. We follow the principles of coordinated disclosure to deploy mitigations and inform the public. Given the nature of our products, we commonly work with our customers and other third parties, including hardware, software, and services vendors, as well as end users, to develop and deploy mitigations. Effective mitigation may require all these parties to work together in coordinated cooperation.

Regarding CSME [the ME is one firmware under the umbrella term Converged Security and Management Engine], Intel recently consolidated CSME updates into quarterly packages to simplify the update process and improve predictability for our customers and partners. This makes it simpler for them to validate and apply fixes and make them available to end users.